Delegation of AzMan objects allows creation of user/group objects

Applies to: Windows Server 2008 Standard, Windows Server 2008 Enterprise, Windows Server 2008 R2 Enterprise

Symptoms


When an Administrator or application creates Authorization Manager (AzMan) objects in Active Directory and then delegates object permissions to give standard domain users control over these objects, the delegated user account is able to perform operations such as creating user or group accounts. The AzMan object types related to this issue are msDS-AzAdminManager, msDS-AzApplication and msDS-AzScope.

Cause


Given the default schema definition of these object types, a user who has been delegated permission to create these AzMan objects can, in some circumstances, also obtain permission to create user and group objects. This is by-design behavior, because the AzMan object classes are derived from the container class. However, for Administrators delegating these objects, the behavior can be unexpected and/or unwanted in some Enterprise environments.

Resolution


To allow delegation of these AzMan objects without also allowing the creation of these unwanted object types, edit the Active Directory Schema to modify the default security permissions for the objects in question.

Generic instructions and cautions for editing default schema permissions are referenced here:

265399 HOW TO: Change Default Permissions for Objects That Are Created in the Active Directory
http://support.microsoft.com/kb/265399/EN-US

Using the instructions from KB265399, the solution is to modify the following objects:

msDS-AzAdminManager, msDS-AzApplication and msDS-AzScope

as follows:

Using ADSIEdit.msc:

The defaultSecurityDescriptor attribute contains all of the ACL entries for the object, in SDDL form.

For example:

D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;CO)(A;;LCRPLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA)

Modify the entry for Creator/Owner:

(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;CO)

For each object type, modify the Creator/Owner portion (CO) of the default security descriptor to look as follows:

(A;;LCSWRPWPSDRC;;;CO)

Ensure that you modify only the Creator/Owner portion of the default security descriptor attribute, leaving the other sections of the default security descriptor unchanged.

The resulting security descriptor attribute would then appear as follows:

D:(A;;LCSWRPWPSDRC;;;CO)(A;;LCRPLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA)
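As an added check (example Python, not part of the KB), the following parses the SDDL string shown above, applies the Creator/Owner edit described, and verifies that every other ACE is left unchanged and that CO no longer holds the create-child right:

```python
import re

# SDDL access-right codes the KB strips from the CREATOR OWNER ACE:
# CC/DC create/delete child, DT delete tree, LO list object,
# CR control access, WD write DAC, WO write owner.
RIGHTS_TO_DROP = {"CC", "DC", "DT", "LO", "CR", "WD", "WO"}

# DACL strings as given in the KB (before and after the edit).
KB_DEFAULT_SD = ("D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;CO)(A;;LCRPLORC;;;AU)"
                 "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA)")
KB_HARDENED_SD = ("D:(A;;LCSWRPWPSDRC;;;CO)(A;;LCRPLORC;;;AU)"
                  "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA)")

ACE_RE = re.compile(r"\(([^)]*)\)")

def parse_dacl(sddl):
    """Split 'D:(ace)(ace)...' into 6-field ACE tuples (type;flags;rights;obj;inh;sid)."""
    if not sddl.startswith("D:"):
        raise ValueError("expected a DACL string starting with 'D:'")
    aces = []
    for body in ACE_RE.findall(sddl[2:]):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError(f"malformed ACE: ({body})")
        aces.append(tuple(fields))
    return aces

def split_rights(rights):
    """'CCDCLC' -> ['CC', 'DC', 'LC']; hex masks are not handled by this example."""
    if rights.startswith("0x") or len(rights) % 2:
        raise ValueError(f"unsupported rights field: {rights}")
    return [rights[i:i + 2] for i in range(0, len(rights), 2)]

def harden_creator_owner(sddl):
    """Rewrite only the Allow ACE for CO, dropping RIGHTS_TO_DROP; other ACEs are untouched."""
    out = []
    for ace_type, flags, rights, obj, inh, sid in parse_dacl(sddl):
        if ace_type == "A" and sid == "CO":
            rights = "".join(r for r in split_rights(rights) if r not in RIGHTS_TO_DROP)
        out.append((ace_type, flags, rights, obj, inh, sid))
    return "D:" + "".join("(" + ";".join(a) + ")" for a in out)

def creator_owner_can_create_child(sddl):
    """True if CREATOR OWNER still holds CC (create child), the right behind the symptom."""
    return any(t == "A" and s == "CO" and "CC" in split_rights(r)
               for t, _, r, _, _, s in parse_dacl(sddl))

def only_creator_owner_changed(before, after):
    """The check from the KB: every ACE other than CO must be identical before and after."""
    b, a = parse_dacl(before), parse_dacl(after)
    return len(a) == len(b) and all(x == y or x[5] == "CO" for x, y in zip(b, a))
```

Run the edited attribute value through only_creator_owner_changed against the original before writing it back with ADSIEdit.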


Using Active Directory Schema MMC snap-in:

Alternatively, the default security descriptor for each object type may be modified using the Active Directory Schema MMC snap-in. The steps below remove the same Creator/Owner rights as the ADSIEdit method.

For each object type, locate the object name under Active Directory Schema Classes folder in the Active Directory Schema MMC snap-in.

Right-click on the object class name and select Properties.

Select the "Default Security" tab on the object properties.

Select the "CREATOR OWNER" entry under the Group or user names list box.

With "CREATOR OWNER" highlighted, click the Advanced button.

With "CREATOR OWNER" highlighted, click the Edit button.

In the Permissions listing, by default all permissions options will be checked under the Allow column.

Clear the Allow check box for the following items:

Full Control, Modify Permissions, Modify Owner.

Click OK.

Click Apply and Click OK in order to save these changes.



More Information


By default, the schema permissions for these objects give the creator/owner full control. When a user account is delegated permission to create these objects, that account receives full control over each new object it creates. The AzMan objects in question are container class objects and, as defined by the schema, may contain the child object types allowed for containers. This gives the delegated user the ability to create object types such as user and group accounts within these newly created container objects. Although the administrator grants these permissions to the delegated user, it is not intuitive that delegating permission to create the AzMan objects would in turn allow the creation of user and group objects, which administrators typically wish to restrict for security reasons.